A leaked document from the agency responsible for Australia's centralised digital health records reveals an organisation that's still on the defensive. In some cases it's even still in denial about problems with the system.

The document, obtained by Healthcare IT News (HITN), is dated August 20, and contains the responses of the Australian Digital Health Agency (ADHA) to questions from community representatives on the My Health Record Expansion Program steering group.

"It is a rare backroom view of the ADHA's reaction to the media storm and public data privacy backlash following the start of the opt-out period in July, and shows an agency variously holding steadfast or fixing problems on the fly," HITN wrote on Wednesday.

The issues covered in the leaked document include:

ADHA rejected putting passcodes on records by default. "Should access be closed on creation of a record, this would effectively render the system opt-in. Currently there are 6 million Australians where less than 1 percent of people have set access controls. MHR is a secure system where only healthcare providers involved in an individual's care are able to access a record," it wrote.

ADHA rejected security concerns, continuing to claim that it has "strong security, which ensures information is only stored and accessed by trusted connected health systems and users".

According to HITN, doctors have continued to have technical problems registering through the Department of Human Services' Provider Digital Access platform (PRODA). "ADHA said it would introduce an information page at the start of the registration process to help provide clarity and follow up with DHS on the cause of delays," it reported.

Responding to concerns that health records of children in care and other at-risk minors could be accessed, ADHA said that it is "working with all jurisdictions and care agencies to develop a process".

Regarding victims of domestic violence, ADHA said there are strong existing systems in place and, again, that it is "working with jurisdictions and DHS to ensure that an individual's safety is not jeopardised by information potentially found in their My Health Record", and that more changes could be made in future.

Concerns about access to children's records during custody disputes were dismissed, the ADHA pointing to a parent's ability to contact the call centre and suspend the record.

On protecting the privacy of 14 to 17-year-olds, ADHA said it's developing a fact sheet, and working with experts and organisations. "This is in addition to a digital and social media campaign targeting young people commencing 15 August," it wrote, with ads placed on platforms including Spotify and Instagram.

ADHA is still refusing to release statistics on the number of cancellations and opt-outs, but says it will scale up its resources to handle the expected demand in the final four weeks of the opt-out period, which now ends on November 15.

The document also outlined plans to "develop additional information as required for different [at-risk] cohorts, as advised through engagement with the peaks and organisations supporting these individuals". There were also responses to questions about the agency's communications strategy more broadly.

Amidst the political turmoil Australia experienced last week, Health Minister Greg Hunt offered his resignation shortly after introducing legislative amendments that addressed just some of the privacy concerns. However, the resignation was tied to his involvement in the push to dump Malcolm Turnbull as prime minister. His resignation was refused. The new Prime Minister Scott Morrison reappointed Hunt as health minister in his new cabinet announced on Sunday. Michael Keenan also continues as minister for Human Services.

It's clear to this writer that we need more than this piecemeal approach to fixing My Health Record.

Last month Paul Shetler, former head of the Digital Transformation Office (DTO) -- which is now the Digital Transformation Agency (DTA) -- outlined a strategy to fix My Health Record.

"The first thing I would do is acknowledge there is a problem, and that they inherited a previous health record [the PCEHR, or personally controlled electronic health record], which nobody wanted," Shetler told InnovationAus.com.

"They should put an immediate pause on the project and acknowledge that they have heard what the public are saying. And then they should reset the program, returning it to an opt-in system as the very first step. It should be absolutely voluntary."

Shetler called for privacy controls along the lines of Europe's General Data Protection Regulation (GDPR).

"This is really important. They are calling this My Health Record. But right now, this is a Government Health Record, about you. For it to be your health record, the citizen really has to own the data," he said.

Meanwhile, the Senate Community Affairs References Committee has launched a wide-ranging inquiry into My Health Record, covering everything from the expected benefits to privacy and security, and how the system "compares to alternative systems of digitising health records internationally".

The deadline for public submissions is September 14, and the committee is due to report by October 8.
